Abstract

In this work, pseudorandom sequence generators based on finite fields have been analyzed from the point of view of their cryptographic application. In fact, a class of nonlinear sequence generators has been modelled in terms of linear cellular automata. The algorithm that converts the given generator into a linear model based on automata is very simple and is based on the concatenation of a basic structure. Once the generator has been linearized, a cryptanalytic attack that exploits the weaknesses of such a model has been developed. Linear cellular structures easily model sequence generators with application in stream cipher cryptography.
1 Introduction

Confidential information must be encrypted by means of a mathematical function currently called cipher that converts the original information (plaintext) into the ciphered information (ciphertext). Symmetric cryptography is usually divided into two large classes [21]: stream ciphers and block-ciphers. Stream ciphers encrypt each data symbol into a ciphertext symbol under a time-varying transformation. Block-ciphers divide the plaintext into blocks of symbols and, by means of a specially constructed function, mix the block of plaintext with the secret key in order to produce the block of ciphertext.

Stream ciphers are very fast (in fact, the fastest among the encryption procedures), so they are implemented in many technological applications, e.g. the A5 algorithms in GSM communications, the encryption system E0 used in the Bluetooth specifications or the RC4 function for the Microsoft Excel application. Stream ciphers try to imitate the ultimate one-time pad cipher [21] and are supposed to be good pseudorandom generators capable of stretching a short secret seed (the secret key) into a long sequence of seemingly random bits (the keystream sequence). This sequence is then bit-wise XORed with the plaintext in order to obtain the ciphertext. Finite fields are used in most of the constructions of pseudorandom sequences, either under the form of Cellular Automata (CA) or under the form of traditional Linear Feedback Shift Registers (LFSRs).

Cellular Automata (CA) are particular forms of finite state machines that can be investigated by the usual analytic techniques ([TO], [IE], [2S], US). CA have been used in application areas as different as physical system simulation, biological processes, species evolution, socio-economical models or test pattern generation. They are defined as arrays of identical cells in an n-dimensional space and characterized by different parameters [27]: the cellular geometry, the neighborhood specification, the number of contents per cell and the transition rule to compute the successor state. Their simple, modular and cascadable structure makes them very attractive for VLSI implementations.

On the other hand, LFSRs [11] are linear structures currently used in the generation of pseudorandom sequences. The inherent simplicity of LFSRs, their ease of implementation and the good statistical properties of their output sequences turn them into natural building blocks for the design of pseudorandom sequence generators with applications in spread-spectrum communications, circuit testing, error-correcting codes, numerical simulations or cryptography.

In recent years, one-dimensional CA have been proposed as an alternative to LFSRs ([2], [3], [20], [27]) in the sense that every sequence generated by an LFSR can be obtained from one-dimensional CA too. In cryptographic applications, pseudorandom sequence generators currently involve several LFSRs combined by means of nonlinear functions or irregular clocking techniques (see [19], [21]). Moreover, in [22] it is proved that one-dimensional linear CA are isomorphic to conventional LFSRs. Thus, the latter structures can be simply substituted by the former ones in order to accomplish the same goal: generation of keystream sequences.

The above class of linear CA has been found to satisfy randomness properties with application in the testing of digital circuits and self-checking [28]. The current interest in these CA stems from the lack of correlation between the bit sequences generated by adjacent cells, see [9]. In this sense, linear CA are superior to the more common LFSRs [11] that have been traditionally used in stream ciphers. Nevertheless, the main advantage of CA is that multiple generators designed as nonlinear structures in terms of LFSRs preserve the linearity when they are expressed under the form of CA.

This paper considers the problem of finding one-dimensional CA that reproduce the output sequence of a particular LFSR-based generator. More precisely, in this work a wide class of LFSR-based nonlinear generators, the so-called Clock-Controlled Shrinking Generators (CCSGs) [15], can be described in terms of one-dimensional CA configurations. Indeed, the well known Shrinking Generator [8] is just an element of such a class. The automata here presented unify in a simple structure the above mentioned class of sequence generators. The algorithm that converts a given CCSG into a CA-based linear model is very simple and can be applied to CCSGs in a range of practical interest. The underlying idea of this modelling procedure is the concatenation of a basic automaton. Once the generators have been linearized, a cryptanalytic approach to reconstruct the generated sequence is also presented.

The paper is organized as follows: in section 2, the basic structures considered, i.e. one-dimensional CA and CCSGs, are introduced. A simple algorithm to determine the pair of CA corresponding to a particular shrinking generator and its generalization to Clock-Controlled Shrinking Generators are given in sections 3 and 4, respectively. A method of reconstructing the generated sequence that exploits the linearity of the CA-based model is presented in section 5. Finally, conclusions in section 6 end the paper.

2 Basic Structures 

In the following subsections, we introduce the general characteristics of the basic structures we are dealing with: linear feedback shift registers, one-dimensional cellular automata, the shrinking generator and the class of clock-controlled shrinking generators. The work is restricted to binary structures, that is, the contents of CA as well as those of LFSRs belong to GF(2).

2.1 Linear Feedback Shift Registers

A binary LFSR is an electronic device with $L$ memory cells (stages), numbered $0, 1, \ldots, L-1$, each of them capable of storing one bit. The binary content of the $L$ stages at each unit of time is the state of the LFSR at that instant. In addition, a clock controls the shift of data. At each unit of time the following operations are performed: (i) the content of stage 0 is output; (ii) the content of stage $i$ is moved to stage $i-1$ for each $i$, $1 \le i \le L-1$; (iii) the new content of stage $L-1$ is the exclusive-OR of a subset of stages given by $P(x)$, the LFSR connection polynomial. If $P(x)$ is a primitive polynomial of degree $L$ [17], then the LFSR is called a maximum-length LFSR and its output sequence is a PN-sequence. Period, balancedness, run distribution and correlation properties of PN-sequences have been exhaustively studied in the literature, see [11] and [19]. In the sequel, only maximum-length LFSRs will be considered.

2.2 One-Dimensional Cellular Automata

One-dimensional cellular automata can be described as $L$-cell registers [14], whose cell contents are updated at the same time instant according to a particular $k$-variable function (the transition rule) denoted by $\Phi$. If the function $\Phi$ is a linear function, so is the cellular automaton. In addition, for cellular automata with binary contents there can be up to $2^{2^k}$ different mappings to the next state. Moreover, if $k = 2r + 1$, then the binary content of the $i$-th cell at time $t+1$ depends on the contents of $k$ neighbor cells at time $t$ in the following way:

$$x_i^{t+1} = \Phi(x_{i-r}^t, \ldots, x_i^t, \ldots, x_{i+r}^t) \quad (i = 1, \ldots, L). \qquad (1)$$

The number of cells $L$ (numbered from left to right) is the length of the automaton. CA are called uniform if all cells evolve under the same rule, while CA are called hybrid if different cells evolve under different rules. At the ends of the array, two different boundary conditions are possible: null automata, when cells with permanent null contents are supposed adjacent to the extreme cells, or periodic automata, when the extreme cells are supposed adjacent.

In this paper, only transition rules with $k = 3$ will be considered. Thus, there are $2^8$ such rules, among which just two (rule 90 and rule 150) lead to non-trivial machines. Such rules are described as follows:
Rule 90: $x_i^{t+1} = \Phi_{90}(x_{i-1}^t, x_i^t, x_{i+1}^t) = x_{i-1}^t + x_{i+1}^t$

    111 110 101 100 011 010 001 000
     0   1   0   1   1   0   1   0

Rule 150: $x_i^{t+1} = \Phi_{150}(x_{i-1}^t, x_i^t, x_{i+1}^t) = x_{i-1}^t + x_i^t + x_{i+1}^t$

    111 110 101 100 011 010 001 000
     1   0   0   1   0   1   1   0

Remark that the names rule 90 and rule 150 derive from the decimal values of their next-state functions: 01011010 (binary) = 90 (decimal) and 10010110 (binary) = 150 (decimal). Indeed, $x_i^{t+1}$, the content of the $i$-th cell at time $t+1$, depends on the contents of either two different cells (rule 90) or three different cells (rule 150) at time $t$. The symbol + denotes addition modulo 2 among cell contents. Remark that both transition rules are linear. This work deals exclusively with one-dimensional linear null hybrid CA with rules 90 and 150. A natural way of specifying such CA is an $L$-tuple $M = [R_1, R_2, \ldots, R_L]$, called rule vector, where $R_i = 0$ if the $i$-th cell satisfies rule 90 while $R_i = 1$ if the $i$-th cell satisfies rule 150. A sub-automaton of the previous automata class consisting of cells 1 through $i$ will be denoted by $R_1 R_2 \ldots R_i$.

For a cellular automaton of length $L = 10$ cells, rule configuration $(R_1 = 0, R_2 = 1, R_3 = 1, R_4 = 1, R_5 = 0, R_6 = 0, R_7 = 1, R_8 = 1, R_9 = 1, R_{10} = 0)$ and initial state $(0, 0, 0, 1, 1, 1, 0, 1, 1, 0)$, Table 1 illustrates the formation of its output sequences (binary sequences read vertically) and the succession of states (binary configurations of 10 bits read horizontally). For the above mentioned rules, the different states of the automaton are grouped in closed cycles. The number of different output sequences for a particular cycle is $\le L$, as the same sequence (although shifted) may appear simultaneously in different cells. At the same time, all the sequences in a cycle will have the same period and linear complexity [15]. Moreover, any of the output sequences of the automaton can be produced at any cell provided that the right state cycle is chosen.

Table 1: A one-dimensional linear null hybrid cellular automaton of 10 cells with rules 90/150 starting at a given initial state

On the other hand, linear finite state machines are currently represented and analyzed by means of their transition matrices. The form and characteristics of these matrices for the CA under consideration can be found in [4]. In fact, such matrices are tri-diagonal matrices with the rule vector on the main diagonal, 1's on the diagonals below and above the main one and all other entries being zero. Every automaton is completely specified by its characteristic polynomial, that is, the characteristic polynomial of its transition matrix. Such a characteristic polynomial can be computed in terms of the characteristic polynomials of the previous sub-automata according to the recurrence relation [4]:

$$P_i(x) = (x + R_i)\,P_{i-1}(x) + P_{i-2}(x), \quad 0 < i \le L \qquad (2)$$

with $P_{-1}(x) = 0$ and $P_0(x) = 1$. Next, the following definition is introduced:

Definition 2.1 A Multiplicative-Polynomial Cellular Automaton is defined as a cellular automaton whose characteristic polynomial is a reducible polynomial of the form $P_M(x) = (P(x))^p$, where $p$ is a positive integer. If $P(x)$ is a primitive polynomial, then the automaton is called a Primitive Multiplicative-Polynomial Cellular Automaton.

The class of binary sequence generators we are dealing with is described in the following subsections.

2.3 The Shrinking Generator

The shrinking generator is a binary sequence generator [8] composed of two LFSRs: a control register $SR_1$ that decimates the sequence produced by the other register $SR_2$. We denote by $L_j$ ($j = 1, 2$) their corresponding lengths, with $(L_1, L_2) = 1$ as well as $L_1 < L_2$. Then, we denote by $C_j(x) \in GF(2)[x]$ ($j = 1, 2$) their corresponding characteristic polynomials of degree $L_j$ ($j = 1, 2$), respectively.

The sequence produced by $SR_1$, denoted by $\{a_i\}$, controls the bits of the sequence produced by $SR_2$, that is $\{b_i\}$, which are included in the output sequence $\{z_j\}$ (the shrunken sequence), according to the following rule P:

1. If $a_i = 1 \Rightarrow z_j = b_i$

2. If $a_i = 0 \Rightarrow b_i$ is discarded.

A simple example illustrates the behavior of this structure.
Example 2.2 Let us consider the following LFSRs:

1. Register $SR_1$ of length $L_1 = 3$, characteristic polynomial $C_1(x) = 1 + x^2 + x^3$ and initial state $IS_1 = (1, 0, 0)$. The PN-sequence generated by $SR_1$ is $\{1, 0, 0, 1, 1, 1, 0\}$ with period $T_1 = 2^{L_1} - 1 = 7$.

2. Register $SR_2$ of length $L_2 = 4$, characteristic polynomial $C_2(x) = 1 + x + x^4$ and initial state $IS_2 = (1, 0, 0, 0)$. The PN-sequence generated by $SR_2$ is $\{1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1\}$ with period $T_2 = 2^{L_2} - 1 = 15$.

The output sequence $\{z_j\}$ is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b_i\}$ → 1000100110101111000100

• $\{z_j\}$ → 1010110110010

The bits of $\{b_i\}$ at the positions where $a_i = 0$ are discarded.

In brief, the sequence produced by the shrinking generator is an irregular decimation of $\{b_i\}$ from the bits of $\{a_i\}$. According to [8], the period of the shrunken sequence is

$$T = (2^{L_2} - 1)\, 2^{(L_1 - 1)} \qquad (3)$$

and its linear complexity [21], notated $LC$, satisfies the following inequality

$$L_2\, 2^{(L_1 - 2)} < LC \le L_2\, 2^{(L_1 - 1)}. \qquad (4)$$

A simple calculation, based on the fact that every state of $SR_2$ coincides once with every state of $SR_1$, allows one to compute the number of 1's in the shrunken sequence. Such a number is constant and equal to

$$\text{No. 1's} = 2^{(L_2 - 1)}\, 2^{(L_1 - 1)}. \qquad (5)$$

Comparing period and number of 1's, it can be concluded that the shrunken sequence is a quasi-balanced sequence.

In addition, it can be proved [8] that the output sequence has good distributional statistics too. Therefore, this scheme is suitable for practical implementation of stream ciphers and pattern generators.



2.4 The Clock-Controlled Shrinking Generators

The Clock-Controlled Shrinking Generators constitute a wide class of clock-controlled sequence generators [15] with applications in cryptography, error correcting codes and digital signature. A CCSG is a sequence generator composed of two LFSRs notated $SR_1$ and $SR_2$. The parameters of both registers are defined as those of subsection 2.3. At any time $t$, $SR_1$ (the control register) is clocked normally while the second register $SR_2$ is clocked a number of times given by an integer decimation function notated $X_t$. In fact, if $A_0(t), A_1(t), \ldots, A_{L_1 - 1}(t)$ are the binary cell contents of $SR_1$ at time $t$, then $X_t$ is defined as

$$X_t = 1 + 2^0 A_{i_0}(t) + 2^1 A_{i_1}(t) + \ldots + 2^{w-1} A_{i_{w-1}}(t) \qquad (6)$$

where $i_0, i_1, \ldots, i_{w-1} \in \{0, 1, \ldots, L_1 - 1\}$ and $0 \le w \le L_1 - 1$.

In this way, the output sequence of a CCSG is obtained from a double decimation:

1. The output sequence of $SR_2$, $\{b_i\}$, is decimated by means of $X_t$, giving rise to the sequence $\{b'_i\}$.

2. The same decimation rule P, defined in subsection 2.3, is applied to the sequence $\{b'_i\}$.

Remark that if $X_t = 1$ (no cells are selected in $SR_1$), then the proposed generator is just the shrinking generator. Let us see a simple example of CCSG.

Example 2.3 For the same LFSRs defined in the previous example and the function $X_t = 1 + 2^0 A_0(t)$ with $w = 1$, the decimated sequence $\{b'_i\}$ is given by:

• $\{b_i\}$ → 1000100110101111000100110101111

• $X_t$ → 2112221211222121122

• $\{b'_i\}$ → 10010110111010101011

According to the decimation function $X_t$, the bits of $\{b_i\}$ that are skipped by the clocking of $SR_2$ are discarded in order to produce the sequence $\{b'_i\}$. Then the output sequence $\{z_j\}$ of the CCSG is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b'_i\}$ → 10010110111010101011

• $\{z_j\}$ → 110101011011

The bits of $\{b'_i\}$ at the positions where $a_i = 0$ are discarded.

In brief, the sequence produced by a CCSG is an irregular double decimation of the sequence generated by $SR_2$ from the function $X_t$ and the bits of $SR_1$. This construction allows one to generate a large family of different sequences by using the same LFSR initial states and characteristic polynomials but modifying the decimation function. Period, linear complexity and statistical properties of the sequences generated by CCSGs have been established in [15].
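The two generators of Examples 2.2 and 2.3, as an added Python example that is not part of the paper. It models the LFSR, rule P and the decimation function (6), reproduces the sequences listed above, and then checks equations (3) and (5) over a full period of the shrunken sequence together with the linear recurrence that Lemma 3.1 below predicts; the bit-packed polynomial encoding and the assumption that $SR_2$ shows $b_0$ before its first clocking are this example's own.

```python
# Added example (not from the paper): LFSR, shrinking generator and CCSG models
# reproducing Examples 2.2 and 2.3.  Polynomials over GF(2) are bit-packed ints
# (bit k is the coefficient of x^k), an encoding chosen for this example.
from typing import List, Tuple


def lfsr_states(char_poly: int, init_state: List[int], n: int) -> List[List[int]]:
    """Successive states (stages 0..L-1) of the LFSR with characteristic
    polynomial char_poly; the output bit at time t is stage 0.  The new content
    of stage L-1 is the XOR of the stages k whose coefficient c_k is 1."""
    L = char_poly.bit_length() - 1
    taps = [k for k in range(L) if (char_poly >> k) & 1]
    state = list(init_state)
    states = []
    for _ in range(n):
        states.append(state)
        new = 0
        for k in taps:
            new ^= state[k]
        state = state[1:] + [new]
    return states


def lfsr_sequence(char_poly: int, init_state: List[int], n: int) -> List[int]:
    """First n output bits of the LFSR."""
    return [s[0] for s in lfsr_states(char_poly, init_state, n)]


def shrink(a: List[int], b: List[int]) -> List[int]:
    """Decimation rule P: b_i is kept when a_i = 1 and discarded when a_i = 0."""
    return [bi for ai, bi in zip(a, b) if ai == 1]


def ccsg(poly1: int, is1: List[int], poly2: int, is2: List[int],
         cells: List[int], n: int) -> Tuple[List[int], List[int], List[int]]:
    """n steps of a Clock-Controlled Shrinking Generator (equation 6).

    SR1 is clocked once per step; SR2 is clocked X_t = 1 + sum_k 2^k A_{i_k}(t)
    times, where cells = [i_0, ..., i_{w-1}] are the SR1 stages read by X_t.
    As in Example 2.3, SR2 shows b_0 before its first clocking (assumption).
    Returns (X_t, the decimated sequence b', the output sequence z)."""
    sr1 = lfsr_states(poly1, is1, n)
    # SR2 advances at most 2**w positions per step, so this many bits suffice
    b = lfsr_sequence(poly2, is2, n * 2 ** len(cells) + 1)
    xs, bprime, z = [], [], []
    pos = 0                      # index into {b_i} of the bit SR2 shows now
    for t in range(n):
        x_t = 1 + sum(sr1[t][i] << k for k, i in enumerate(cells))
        xs.append(x_t)
        bprime.append(b[pos])    # first decimation, by X_t
        if sr1[t][0] == 1:       # second decimation, rule P driven by a_t
            z.append(b[pos])
        pos += x_t               # SR2 is now clocked X_t times
    return xs, bprime, z


def bits(seq: List[int]) -> str:
    return "".join(str(v) for v in seq)


def satisfies(seq: List[int], poly: int) -> bool:
    """True if seq obeys the linear recurrence with characteristic polynomial
    poly, i.e. sum_k c_k s_{n+k} = 0 (mod 2) for every n."""
    d = poly.bit_length() - 1
    taps = [k for k in range(d + 1) if (poly >> k) & 1]
    return all(sum(seq[n + k] for k in taps) % 2 == 0
               for n in range(len(seq) - d))


C1, IS1 = 0b1101, [1, 0, 0]       # C1(x) = 1 + x^2 + x^3, IS1 = (1, 0, 0)
C2, IS2 = 0b10011, [1, 0, 0, 0]   # C2(x) = 1 + x + x^4,   IS2 = (1, 0, 0, 0)


def example_2_2() -> str:
    """Shrunken sequence from 22 steps of both registers."""
    return bits(shrink(lfsr_sequence(C1, IS1, 22), lfsr_sequence(C2, IS2, 22)))


def example_2_3() -> Tuple[str, str, str]:
    """CCSG with X_t = 1 + 2^0 A_0(t), i.e. w = 1 and cells = [0], over 20 steps."""
    xs, bprime, z = ccsg(C1, IS1, C2, IS2, [0], 20)
    return bits(xs), bits(bprime), bits(z)


def shrunken_period_stats() -> Tuple[bool, int, bool]:
    """For L1 = 3, L2 = 4: period T = (2^4 - 1) 2^2 = 60 (equation 3),
    2^3 * 2^2 = 32 ones per period (equation 5), and the recurrence of
    P(x)^4 = (1 + x^3 + x^4)^4 = 1 + x^12 + x^16, where P(x) is the
    coset-7 polynomial of C2(x) that Lemma 3.1 predicts for the shrunken
    sequence.  210 steps of the registers yield two full periods of z."""
    z = shrink(lfsr_sequence(C1, IS1, 210), lfsr_sequence(C2, IS2, 210))
    periodic = z[:60] == z[60:120]
    return periodic, sum(z[:60]), satisfies(z[:120], (1 << 16) | (1 << 12) | 1)


if __name__ == "__main__":
    print(example_2_2())          # 1010110110010
    print(*example_2_3())
    print(shrunken_period_stats())
```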

2.5 Cattell and Muzio Synthesis Algorithm

The Cattell and Muzio synthesis algorithm [5] presents a method of obtaining two CA (based on rules 90 and 150) corresponding to a given polynomial. Such an algorithm takes as input an irreducible polynomial $Q(x) \in GF(2)[x]$ defined over a finite field and computes two linear reversal CA whose output sequences have $Q(x)$ as characteristic polynomial. Such CA are written as binary strings with the previous codification: 0 = rule 90 and 1 = rule 150. The theoretical foundations of the algorithm can be found in [7]. The total number of operations required for this algorithm is listed in [5] (Table II, page 334). It is shown that the number of operations grows linearly with the degree of the polynomial, so the method does not suffer from any sort of exponential blow-up. The method is efficient for all practical applications (e.g. in 1996 finding a pair of length 300 CA took 16 CPU seconds on a SPARC 10 workstation). For cryptographic applications, the degree of the irreducible (primitive) polynomial is $L_2 \approx 64$, so that the computation time is negligible.

Finally, a list of One-Dimensional Linear Hybrid Cellular Automata of Degree Through 500 can be found in [5].

3 CA-Based Linear Models for the Shrinking Generator

In this section, an algorithm to determine the pair of CA corresponding to a given shrinking generator is presented. Such an algorithm is based on the following results:

Lemma 3.1 The characteristic polynomial of the shrunken sequence is of the form $P(x)^N$, where $P(x) \in GF(2)[x]$ is an $L_2$-degree primitive polynomial and $N$ is an integer satisfying the inequality $2^{(L_1 - 2)} < N \le 2^{(L_1 - 1)}$.

Proof: The shrunken sequence can be written as an interleaved sequence [12] made out of a unique PN-sequence starting at different points and repeated $2^{(L_1 - 1)}$ times. Such a sequence is obtained from $\{b_i\}$ taking digits separated a distance $2^{L_1} - 1$, that is, the period of the sequence $\{a_i\}$. As $(2^{L_2} - 1, 2^{L_1} - 1) = 1$ because $L_2$ and $L_1$ are relatively prime, the result of the decimation of $\{b_i\}$ is a PN-sequence of primitive characteristic polynomial $P(x)$ of degree $L_2$. Moreover, the number of times that this PN-sequence is repeated coincides with the number of 1's in $\{a_i\}$, since each 1 of $\{a_i\}$ provides the shrunken sequence with $2^{L_2} - 1$ digits of $\{b_i\}$. Consequently, the characteristic polynomial of the shrunken sequence will be $P(x)^N$ with $N \le 2^{(L_1 - 1)}$. The lower limit follows immediately from equation (4), the bound on the linear complexity of the shrunken sequence.

Lemma 3.2 Let $C_2(x) \in GF(2)[x]$ be the characteristic polynomial of $SR_2$ and let $\lambda$ be a root of $C_2(x)$ in the extension field $GF(2^{L_2})$. Then, $P(x) \in GF(2)[x]$ is of the form

$$P(x) = (x + \lambda^E)(x + \lambda^{2E}) \ldots (x + \lambda^{2^{L_2 - 1} E}) \qquad (7)$$

with $E$ an integer given by

$$E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}. \qquad (8)$$

Proof: As the decimation of the sequence $\{b_i\}$ is realized taking one out of $2^{L_1} - 1$ digits, the obtained PN-sequence is nothing but the characteristic sequence associated to the cyclotomic coset $E = 2^{L_1} - 1$, see [11]. Hence, the roots of its characteristic polynomial will be $\lambda^E, \lambda^{2E}, \ldots, \lambda^{2^{L_2 - 1} E}$. According to the definition of cyclotomic coset, the value of $E$ is given by equation (8).

Remark that $P(x)$ depends exclusively on the characteristic polynomial of the register $SR_2$ and on the length $L_1$ of the register $SR_1$. Based on the Cattell and Muzio synthesis algorithm [5], the following result is derived:

Lemma 3.3 Let $Q(x) \in GF(2)[x]$ be a polynomial defined over a finite field and let $S_1$ and $S_2$ be two binary strings codifying the two linear CA obtained from the Cattell and Muzio algorithm. Then, the two CA in form of binary strings whose characteristic polynomial is $Q(x)^2$ are:

$$S'_i = \bar{S}_i * \bar{S}_i^{*}, \quad i = 1, 2$$

where $\bar{S}_i$ is the binary string $S_i$ whose least significant bit has been complemented, $\bar{S}_i^{*}$ is the mirror image of $\bar{S}_i$ and the symbol $*$ denotes concatenation.

Proof: The result is just a generalization of the Cattell and Muzio synthesis algorithm. The concatenation is due to the fact that rule 90 (150) at the end of the array in null automata is equivalent to two consecutive rules 150 (90) with identical sequences. The fact that an automaton and its reversal version have the same characteristic polynomial completes the proof. Proceeding in the same way a number of times, a multiplicative-polynomial cellular automaton (Definition 2.1) is obtained. In this way, the construction of a linear structure from the concatenation of a basic automaton is accomplished.

According to the previous results, an algorithm to linearize the shrinking generator is introduced:

Input: A shrinking generator characterized by two LFSRs, $SR_1$ and $SR_2$, with their corresponding lengths, $L_1$ and $L_2$, and the characteristic polynomial $C_2(x)$ of the register $SR_2$.

Step 1 From $L_1$ and $C_2(x)$, compute the polynomial $P(x)$ in $GF(2^{L_2})$ as
$$P(x) = (x + \lambda^E)(x + \lambda^{2E}) \ldots (x + \lambda^{2^{L_2 - 1} E})$$
with $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$.

Step 2 From $P(x)$, apply the Cattell and Muzio synthesis algorithm to determine two linear CA (with rules 90 and 150), notated $S_i$, whose characteristic polynomial is $P(x)$.

Step 3 For each $S_i$ separately, proceed:

3.1 Complement its least significant bit. The resulting binary string is notated $\bar{S}_i$.

3.2 Compute the mirror image of $\bar{S}_i$, notated $\bar{S}_i^{*}$, and concatenate both strings.

3.3 Apply steps 3.1 and 3.2 to each $S_i$ recursively $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{L_1 - 1}$ codifying two CA corresponding to the given shrinking generator.

Remark 3.4 In this algorithm the characteristic polynomial of the register $SR_1$ is not needed. Thus, all the shrinking generators with the same $SR_2$ but different registers $SR_1$ (all of them with the same length $L_1$) can be modelled by the same pair of one-dimensional linear CA.

Remark 3.5 It can be noticed that the computation of both CA is proportional to $L_1$ concatenations. Consequently, the algorithm can be applied to shrinking generators in a range of practical application.

Remark 3.6 In contrast to the nonlinearity of the shrinking generator, the CA-based models that generate the shrunken sequence are linear.

In order to clarify the previous steps a simple numerical example is presented.

Input: A shrinking generator characterized by two LFSRs, $SR_1$ of length $L_1 = 3$ and $SR_2$ of length $L_2 = 5$ and characteristic polynomial $C_2(x) = 1 + x + x^2 + x^4 + x^5$.

Step 1 $P(x)$ is the characteristic polynomial of the cyclotomic coset $E = 7$. Thus,

$$P(x) = 1 + x^2 + x^5.$$

Step 2 From $P(x)$ and applying the Cattell and Muzio synthesis algorithm, two reversal linear CA whose characteristic polynomial is $P(x)$ can be determined. Such CA are written in binary format as:

01111
11110

Step 3 Computation of the required pair of CA.
For the first automaton:

01111

0111001110

01110011111111001110

For the second automaton:

11110

1111111111

11111111100111111111

For each automaton, the procedure of concatenation has been carried out $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{(L_1 - 1)} = 20$ codifying the required pair of CA.

In this way, we have obtained a pair of linear CA able to generate the shrunken sequence corresponding to the given shrinking generator. In addition, for each one of the previous automata there is one state cycle where the shrunken sequence is generated at each one of the cells.

4 CA-Based Linear Models for the Clock-Controlled Shrinking Generators

In this section, an algorithm to determine the pair of one-dimensional linear CA corresponding to a given CCSG is presented. Such an algorithm is based on the following results:

Lemma 4.1 The characteristic polynomial of the output sequence of a CCSG is of the form $P'(x)^N$, where $P'(x) \in GF(2)[x]$ is a primitive $L_2$-degree polynomial and $N$ is an integer satisfying the inequality $2^{(L_1 - 2)} < N \le 2^{(L_1 - 1)}$.

Proof: The proof is analogous to that developed in Lemma 3.1.

Remark that, according to the structure of the CCSGs, the polynomial $P'(x)$ depends on the characteristic polynomial of the register $SR_2$, the length $L_1$ of the register $SR_1$ and the decimation function $X_t$. Before, $P(x)$ was the characteristic polynomial of the cyclotomic coset $E$, where $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$ was a fixed separation distance between the digits drawn from the sequence $\{b_i\}$. Now, this distance $D$ is variable as well as a function of $X_t$. The computation of $D$ gives rise to the following result:



Lemma 4.2 Let $C_2(x) \in GF(2)[x]$ be the characteristic polynomial of $SR_2$ and let $\lambda$ be a root of $C_2(x)$ in the extension field $GF(2^{L_2})$. Then, $P'(x) \in GF(2)[x]$ is the characteristic polynomial of cyclotomic coset $D$, where $D$ is given by

$$D = 2^{L_1 - w} \Big( \sum_{j=1}^{2^w} j \Big) - 1 = (1 + 2^w)\, 2^{L_1 - 1} - 1. \qquad (9)$$

Proof: The proof is analogous to that developed in Lemma 3.2. In fact, the distance $D$ can be computed taking into account that the function $X_t$ takes values in the set $\{1, 2, \ldots, 2^w\}$ and the number of times that each one of these values appears in a period of the output sequence is given by $2^{L_1 - w}$. A simple computation, based on the sum of the terms of an arithmetic progression, completes the proof.

From the previous results, it can be noticed that the algorithm that determines the pair of CA corresponding to a given CCSG is analogous to that developed in section 3. Indeed, the expression of $E$ in equation (8) must be replaced by the expression of $D$ in equation (9).

In order to clarify the previous steps a simple numerical example is presented.

Input: A CCSG characterized by two LFSRs, $SR_1$ of length $L_1 = 3$ and $SR_2$ of length $L_2 = 5$ and characteristic polynomial $C_2(x) = 1 + x + x^2 + x^4 + x^5$, plus the decimation function $X_t = 1 + 2^0 A_0(t) + 2^1 A_1(t) + 2^2 A_2(t)$ with $w = 3$.

Step 1 $P'(x)$ is the characteristic polynomial of the cyclotomic coset $D$. Now $D = 4 \bmod 31$, that is, we are dealing with the cyclotomic coset 1. Thus, the corresponding characteristic polynomial is:

$$P'(x) = 1 + x + x^2 + x^4 + x^5.$$

Step 2 From $P'(x)$ and applying the Cattell and Muzio synthesis algorithm, two reversal linear CA whose characteristic polynomial is $P'(x)$ can be determined. Such CA are written in binary format as:

10000
00001

Step 3 Computation of the required pair of CA.
For the first automaton:

10000

1000110001

10001100000000110001

For the second automaton:

00001

0000000000

00000000011000000000

For each automaton, the procedure of concatenation has been carried out $L_1 - 1$ times.

Output: Two binary strings of length $L = 20$ codifying the required CA.

Remark 4.3 From the point of view of the CA-based linear models, the shrinking generator and any of the CCSGs are entirely analogous. Thus, introducing an additional decimation function neither increases the complexity of the generator nor improves its resistance against cryptanalytic attacks. Indeed, both kinds of generators can be linearized by the same class of CA-based models.
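The linearization algorithm of sections 3 and 4 (equations (2), (7), (8) and (9) and Lemma 3.3), as an added Python example that is not part of the paper, reproducing both numerical examples and checking that each 20-cell CA has characteristic polynomial $P(x)^4$. The Cattell and Muzio synthesis is replaced by an exhaustive search over the $2^{L_2}$ rule vectors, which is only feasible for the small degrees used here; that substitution and the bit-packed polynomial encoding are this example's own.

```python
# Added example (not from the paper): CA characteristic polynomial (eq. 2),
# P(x) of Lemma 3.2, the concatenation of Lemma 3.3 and the Section 3 and 4
# examples.  Polynomials over GF(2) are bit-packed ints (bit k <-> x^k) and an
# exhaustive search over 2^L2 rule vectors replaces Cattell and Muzio's synthesis.
from typing import List


def ca_char_poly(rules: List[int]) -> int:
    """P_i(x) = (x + R_i) P_{i-1}(x) + P_{i-2}(x) with P_{-1} = 0, P_0 = 1."""
    p_prev, p = 0, 1
    for r in rules:
        p_prev, p = p, (p << 1) ^ (p if r else 0) ^ p_prev
    return p


def poly_mul(a: int, b: int) -> int:
    """Product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_mul(a: int, b: int, modulus: int) -> int:
    """Product in GF(2^m) = GF(2)[x] / (modulus), with deg(modulus) = m."""
    m = modulus.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:
            a ^= modulus
    return r


def coset_poly(c2: int, e: int) -> int:
    """Characteristic polynomial of cyclotomic coset e, equation (7):
    prod_j (x + lambda^(e 2^j)) with lambda = x a root of C2(x) in GF(2^L2).
    The product has coefficients in GF(2), so it packs back into an int."""
    m = c2.bit_length() - 1
    root = 1
    for _ in range(e):                    # lambda^e; lambda = x is the element 2
        root = gf_mul(root, 2, c2)
    coeffs = [1]                          # polynomial with field coefficients
    for _ in range(m):
        new = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):    # multiply by (x + root)
            new[i + 1] ^= c
            new[i] ^= gf_mul(root, c, c2)
        coeffs = new
        root = gf_mul(root, root, c2)     # next conjugate, lambda^(e 2^(j+1))
    assert all(c in (0, 1) for c in coeffs)
    return sum(c << i for i, c in enumerate(coeffs))


def find_ca(poly: int) -> List[List[int]]:
    """All 90/150 rule vectors of length deg(poly) whose characteristic
    polynomial is poly (exhaustive; fine for the small degrees used here)."""
    m = poly.bit_length() - 1
    vectors = [[(v >> i) & 1 for i in range(m)] for v in range(1 << m)]
    return [rules for rules in vectors if ca_char_poly(rules) == poly]


def concat_step(rules: List[int]) -> List[int]:
    """Lemma 3.3: complement the last bit, then append the mirror image;
    the characteristic polynomial of the result is the square of the input's."""
    s = rules[:-1] + [rules[-1] ^ 1]
    return s + s[::-1]


def linearize(c2: int, l1: int, e: int) -> List[str]:
    """Steps 1 to 3 of the algorithm: P(x) from (C2, e), its two CA, then
    l1 - 1 concatenations.  CA are returned as strings with 0 = rule 90."""
    out = []
    for rules in find_ca(coset_poly(c2, e)):
        for _ in range(l1 - 1):
            rules = concat_step(rules)
        out.append("".join(map(str, rules)))
    return out


def linear_model_check(c2: int, l1: int, e: int) -> bool:
    """Every CA returned by linearize() has characteristic polynomial
    P(x)^(2^(l1 - 1)), the multiplicative polynomial of Definition 2.1."""
    target = coset_poly(c2, e)
    for _ in range(l1 - 1):
        target = poly_mul(target, target)
    return all(ca_char_poly([int(ch) for ch in s]) == target
               for s in linearize(c2, l1, e))


C2_EX = 0b110111                            # 1 + x + x^2 + x^4 + x^5, L2 = 5
L1_EX = 3
E_EX = 2**0 + 2**1 + 2**2                   # equation (8): E = 7
D_EX = (1 + 2**3) * 2**(L1_EX - 1) - 1      # equation (9), w = 3: D = 35 = 4 mod 31
```

`linearize(C2_EX, L1_EX, E_EX)` yields the two strings of the section 3 example and `linearize(C2_EX, L1_EX, D_EX)` those of the section 4 example.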

5 A Cryptanalytic Approach to this Class of Sequence Generators

Since CA-based linear models describing the behavior of CCSGs have been derived, a cryptanalytic attack that exploits the weaknesses of these models has also been developed. It consists of determining the initial states of both registers $SR_1$ and $SR_2$ from an amount of CCSG output sequence (the intercepted sequence). In this way, the rest of the output sequence can be reconstructed. For the sake of simplicity, the attack will be illustrated for the shrinking generator, although the process can be extended to any CCSG. The proposed attack is divided into two different phases:

Phase 1 From bits of the intercepted sequence and using the CA-based linear models, additional bits of the shrunken sequence can be reconstructed.

Phase 2 Due to the intrinsic characteristics of the shrinking generator, a cryptanalytic attack can be mounted in order to determine the initial states of the LFSRs. The attack makes use of both intercepted bits as well as reconstructed bits.

Both phases will be considered separately.

5.1 Reconstruction of output sequence bits

Given $r$ bits of the shrunken sequence $z_0, z_1, z_2, \ldots, z_{r-1}$, we can assume without loss of generality that this sub-sequence has been generated at the leftmost cell of any of its corresponding CA. That is, $x_1^1 = z_0, x_1^2 = z_1, \ldots, x_1^r = z_{r-1}$. From $r$ bits of the shrunken sequence, it is always possible to reconstruct $r - 1$ sub-sequences $\{x_i^t\}$ of lengths $r - i + 1$ at the $i$-th cell of each automaton as follows:

$$x_i^t = \Phi_{i-1}(x_{i-2}^t, x_{i-1}^t, x_{i-1}^{t+1}) \quad (1 \le t < r), \qquad (10)$$

where $\Phi_{i-1}$ corresponds to either rule 90 or 150 depending on the value of $R_{i-1}$. From $r$ intercepted bits, the application of equation (10) gives rise to a total of $(r + (r-1) + \ldots + 2 + 1)$ bits that constitute the first chained sub-triangle, notated A1, see Table 2. Now, if any sub-sequence $\{x_i^t\}$ is placed at the leftmost cell, then $r - 2i + 2$ bits are obtained at the $i$-th cell in the second chained sub-triangle, notated A2. Repeating recursively $n$ times the same procedure, $r - ni + n$ bits are obtained at the $i$-th cell in the $n$-th chained sub-triangle, notated An. Table 2 shows the succession of 4 chained sub-triangles constructed from $r = 10$ bits of the shrunken sequence $\{z_i\} = \{0, 0, 1, 1, 1, 0, 1, 0, 1, 1\}$ and first rules $R_1 = R_2 = 0$. In fact, the 10 initial bits generate 8 bits at the third cell in A1. These 8 bits are placed at the leftmost cell, producing 6 new bits at cell 3 in A2. With these 6 bits, we get 4 additional bits in A3. Finally, 2 new bits are obtained at cell 3 in the sub-triangle A4. Since rules 90 and 150 are additive, the generated sub-sequences will be sums of elements of the shrunken sequence. General expressions can be deduced for the elements of any sub-sequence in any chained sub-triangle. In fact, the $i$-th sub-sequence in the $n$-th chained sub-triangle includes the bits $z_j$ corresponding to the exponents of $(P_{i-1}(x))^n$, where $P_{i-1}(x)$ is the characteristic polynomial of the sub-automaton $R_1 R_2 \ldots R_{i-1}$, see equation (2). More precisely, for the previous example the characteristic polynomial of the sub-automaton $R_1 R_2$ is $P_2(x) = x^2 + 1$. Then $(P_2(x))^2 = x^4 + 1$, $(P_2(x))^3 = x^6 + x^4 + x^2 + 1$, $(P_2(x))^4 = x^8 + 1, \ldots$ Hence, $x_3^1$ in the different sub-triangles will take the form:

$x_3^1 = z_0 + z_2$ in A1
$x_3^1 = z_0 + z_4$ in A2
$x_3^1 = z_0 + z_2 + z_4 + z_6$ in A3
$x_3^1 = z_0 + z_8$ in A4 $\ldots$

For the successive bits $x_3^2, x_3^3, \ldots$ it suffices to add 1 to the previous subindexes. Table 3 shows the general expressions of the sub-sequence elements in A1 and A2 for the example under consideration.

On the other hand, Lemmas (13.1[) and (|3.2[) show us that the shrunken 
sequence is the interleaving of 2^ Ll_1 ' different shifts of an unique PA^-sequence 
of length 2 L2 — 1 whose characteristic polynomial P(x) is given by equation 
(0. Consequently, the elements of the shrunken sequence indexed Zdi, with 
i £ {0, 1, . . . , 2 L2 - 2} and d = 2 { - Ll ~ 1 \ belong to the same PiV-sequence. Thus, 
if the element x\ of the i-th sub-sequence in the n-th chained sub-triangle takes 
the general form: 

with 



x\ 



z kl + z k2 + ... + z kj (11) 



k=0 mod 2< Ll - 1 ) (l = l,...,j), (12) 

then x\ can be rewritten as 

x \ = z k m , (13) 

with z km satisfying equation (|12p . Therefore, {x'}, the i-th sub-sequence in 
the n-th chained sub-triangle, is just a sub-sequence of the shrunken sequence 
shifted a distance 6 from the r bits of the intercepted sequence. The value of 
S depends on the extension field GF(2 L2 ) generated by the roots of P(x). In 
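How $\delta$ is obtained, as an added derivation that is not on the page, using the trace representation of an m-sequence (a standard fact assumed here): since the PN-sequence $s_j = z_{dj}$ of column $C_1$ satisfies the linear recurrence with characteristic polynomial $P(x)$, there is a $\beta \in GF(2^{L_2})^*$ with $s_j = \mathrm{Tr}(\beta\alpha^j)$, $\alpha$ a root of $P(x)$. Writing $k_l = d\,\kappa_l$ in equation (12),

$$x_i^t = \sum_{l=1}^{j} z_{d\kappa_l} = \mathrm{Tr}\Bigl(\beta \sum_{l=1}^{j} \alpha^{\kappa_l}\Bigr) = \mathrm{Tr}\bigl(\beta\alpha^{\kappa_m}\bigr) = z_{d\kappa_m}, \qquad \alpha^{\kappa_m} = \sum_{l=1}^{j} \alpha^{\kappa_l},$$

provided the sum of field elements is nonzero. Hence $\delta = \kappa_m - \kappa_1$ is the discrete logarithm of $1 + \alpha^{\kappa_2 - \kappa_1} + \ldots + \alpha^{\kappa_j - \kappa_1}$ (for $j = 2$, the Zech logarithm of $\kappa_2 - \kappa_1$), and the reconstructed bit sits $d\delta$ positions after the first summand. Because every column of the interleaving is a shift of the same PN-sequence, the same $\delta$ applies to $z_{k_1 + 1}, z_{k_1 + 2}, \ldots$, which is why it suffices to add 1 to the subindexes. For $P(x) = 1 + x + x^2 + x^4 + x^5$, one has $1 + \alpha = \alpha^{19}$, so $z_0 + z_8 = z_{8 \cdot 19} = z_{152}$ when $d = 8$.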
Table 2: Reconstruction of 4 chained sub-triangles from 10 bits of the shrunken
sequence {z_i} = {0,0,1,1,1,0,1,0,1,1} with R_1 = R_2 = 0. Columns are cells 1, 2
and 3 of each sub-triangle; cell 1 of A(n+1) is cell 3 of An.

        A1: R1 R2          A2: R1 R2          A3: R1 R2          A4: R1 R2
     c1   c2   c3       c1   c2   c3       c1   c2   c3       c1   c2   c3
      0    0    1        1    1    1        1    0    1        1    1    1
      0    1    1        1    0    0        0    0    1        1    0    1
      1    1    0        0    1    0        0    1    0        0    0
      1    1    1        1    0    1        1    0    0        0
      1    0    0        0    0    0        0    1
      0    1    0        0    0    1        1
      1    0    0        0    1
      0    1    1        1
      1    1
      1

Table 3: General expressions for different sub-sequences in A1 and A2 with
R_1 = R_2 = 0.

                A1: R1 R2                             A2: R1 R2
    cell 1    cell 2    cell 3           cell 1      cell 2      cell 3
    z0        z1        z0 + z2          z0 + z2     z1 + z3     z0 + z4
    z1        z2        z1 + z3          z1 + z3     z2 + z4     z1 + z5
    z2        z3        z2 + z4          z2 + z4     z3 + z5     z2 + z6
    z3        z4        z3 + z5          z3 + z5     z4 + z6     z3 + z7
    z4        z5        z4 + z6          z4 + z6     z5 + z7     z4 + z8
    z5        z6        z5 + z7          z5 + z7     z6 + z8     z5 + z9
    z6        z7        z6 + z8          z6 + z8     z7 + z9
    z7        z8        z7 + z9          z7 + z9
    z8        z9
    z9
The number of reconstructed bits depends on the amount of intercepted bits. Indeed, if we know $N_i$ bits in each one of the PN-sequence shifts, then the total number of reconstructed bits is given by:

$$\sum_{i=1}^{2^{L_1-1}} \;\sum_{k=2}^{N_i} \binom{N_i}{k} \tag{14}$$

since, by equation (13), every sum of two or more known bits of the same shift is again a bit of that shift. The required amount of intercepted sequence is $2^{L_1-1}$ bits, which is exponential in the length of the shortest register $SR_1$. Remark that in this reconstruction process both the reconstructed bits and their positions on the shrunken sequence are known with absolute certainty.

5.2 Reconstruction of LFSR Initial States

We denote by $IS_1 = (a_0, a_1, a_2, \ldots, a_{L_1-1})$ the initial state of $SR_1$ and by $IS_2 = (b_0, b_1, b_2, \ldots, b_{L_2-1})$ the initial state of $SR_2$. In order to avoid ambiguities on the initial states, it is assumed that $a_0 = 1$; thus the first element of the shrunken sequence is $z_0 = b_0$. In this way, the goal of this attack is to determine the sub-vectors $(a_1, a_2, \ldots, a_{L_1-1})$ and $(b_1, b_2, \ldots, b_{L_2-1})$.

According to equation (5), the period of the shrunken sequence is $T = (2^{L_2} - 1)\, 2^{L_1-1}$, so that such a sequence can be written as a $(2^{L_2} - 1) \times 2^{L_1-1}$ matrix whose elements are the bits of the shrunken sequence (row $j$ holds $z_{j 2^{L_1-1}}, \ldots, z_{j 2^{L_1-1} + 2^{L_1-1} - 1}$). Its columns are denoted by $C_1, C_2, \ldots, C_{2^{L_1-1}}$, respectively. Each column of the matrix is the PN-sequence referenced above starting at a different point. In addition, the first column $C_1$ corresponds to the decimation of the sequence $\{b_i\}$ from $SR_2$ by a factor $(2^{L_1} - 1)$ [11]. Thus, we can compute the position of the bits $b_1, b_2, \ldots, b_{L_2-1}$ on such a column. Indeed, the $i$-th bit, $b_i$, is at the $j_i$-th position of $C_1$, where $j_i$ is the solution of the equation:

$$j_i\,(2^{L_1} - 1) \equiv i \pmod{2^{L_2} - 1} \qquad (i = 1, \ldots, L_2 - 1). \tag{15}$$

Moreover, the bits of $IS_1$ determine the initial bits of the subsequent columns $C_i$ as follows:

Hypothesis 1. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 1)$, then $C_2$ will start at the $j_1$-th position of $C_1$ given by equation (15).

Hypothesis 2. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 0, a_2 = 1)$, then $C_2$ will start at the $j_2$-th position of $C_1$ given by equation (15).

...

Hypothesis n. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 0, \ldots, a_{n-1} = 0, a_n = 1)$, then $C_2$ will start at the $j_n$-th position of $C_1$ given by equation (15).

The same rule applies to the following columns: if the $k$-th 1 of one period of the output of $SR_1$ (counting $a_0$ as the first) is at offset $p$, then $C_{k+1}$ starts at the $j_p$-th position of $C_1$, with $j_p$ given by equation (15).

We can formulate different hypotheses covering the first bits of $IS_1$, and each new hypothesis determines the initial bit of the following column. As we have intercepted and reconstructed bits in the columns $C_i$, we can check the previous hypotheses until a contradiction is found. In that case, all the $IS_1$ starting with the wrong configuration must be rejected. The search continues through the configurations of $a_i$ free of contradiction by formulating new hypotheses. In brief, the attacker does not have to traverse an entire search tree including all the initial states of $SR_1$; the search is concentrated exclusively on the configurations not exhibiting a contradiction with regard to the available bits. In this sense, the proposed attack considerably reduces the exhaustive search over the initial states of $SR_1$, as many contradictions occur at the first levels of the tree. On the other hand, the bits of the register $SR_2$ are easily determined as the starting bits of $C_2, C_3, C_4, \ldots$ in each one of the non-rejected branches. An illustrative example of Phases 1 and 2 is presented in the next subsection.

5.3 An Illustrative Example

Let us consider a shrinking generator with the following parameters: $L_1 = 4$, $L_2 = 5$, $C_1(x) = 1 + x^3 + x^4$ and $C_2(x) = 1 + x + x^3 + x^4 + x^5$. According to equation (7), we can compute the polynomial $P(x) = 1 + x + x^2 + x^4 + x^5$, while the two basic automata are obtained from the algorithm of Cattell and Muzio. The corresponding CA of length $L = 40$ are computed via the algorithm developed in Section 3. Indeed, they are $CA_1 = 0060110600$ and $CA_2 = 8C0300C031$ in hexadecimal notation (a 0 bit denotes rule 90 and a 1 bit rule 150, so the first two rules are $R_1 = R_2 = 0$ in $CA_1$ and $R_1 = 1$, $R_2 = 0$ in $CA_2$). In addition, let $\alpha$ be a root of $P(x)$, that is $\alpha^5 = \alpha^4 + \alpha^2 + \alpha + 1$, as well as a generator element of the extension field $GF(2^{L_2})$. The period of the shrunken sequence is $T = (2^{L_2} - 1) \cdot 2^{L_1-1} = 248$ and the number of interleaved PN-sequences is $2^{L_1-1} = 8$. Finally, the intercepted sequence of length $r = 24$ is: $\{z_0, z_1, \ldots, z_{23}\} = \{1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,0,1,1\}$. With the previous premises, we accomplish Phases 1 and 2.

Phase 1:

For $CA_1$: The chained sub-triangles provide the following reconstructed bits. For $i = 3$, the sub-automaton is $R_1 R_2 = 00$ and $P_2(x) = x^2 + 1$. Only those sub-triangles An for which every exponent of $(P_2(x))^n$ is a multiple of $2^{L_1-1} = 8$ satisfy condition (12); with $r = 24$ these are A4, since $(P_2(x))^4 = x^8 + 1$, and A8, since $(P_2(x))^8 = x^{16} + 1$.

• In A4, $x_3^t = z_0 + z_8$, $x_3^{t+1} = z_1 + z_9$, ..., $x_3^{t+15} = z_{15} + z_{23}$. Considering $z_0, z_8$ as the first and second element of the PN-sequence and keeping in mind that in $GF(2^{L_2})$ the equality $1 + \alpha = \alpha^{19}$ holds, we get $x_3^t = z_{19 \cdot 8} = z_{152}$, $x_3^{t+1} = z_{153}$, ..., $x_3^{t+15} = z_{167}$. Thus, 16 new bits of the shrunken sequence have been reconstructed at positions 152, 153, ..., 167.

• In A8, $x_3^t = z_0 + z_{16}$, $x_3^{t+1} = z_1 + z_{17}$, ..., $x_3^{t+7} = z_7 + z_{23}$. As $1 + \alpha^2 = \alpha^7$, we get $x_3^t = z_{7 \cdot 8} = z_{56}$, $x_3^{t+1} = z_{57}$, ..., $x_3^{t+7} = z_{63}$. Thus, 8 new bits of the shrunken sequence have been reconstructed at positions 56, 57, ..., 63.

For $CA_2$: The chained sub-triangles provide the following reconstructed bits. For $i = 3$, the sub-automaton is $R_1 R_2 = 10$ and $P_2(x) = x^2 + x + 1$; the first sub-triangle satisfying condition (12) is A8, since $(P_2(x))^8 = x^{16} + x^8 + 1$.

• In A8, $x_3^t = z_0 + z_8 + z_{16}$, $x_3^{t+1} = z_1 + z_9 + z_{17}$, ..., $x_3^{t+7} = z_7 + z_{15} + z_{23}$. As $1 + \alpha + \alpha^2 = \alpha^{23}$, we get $x_3^t = z_{23 \cdot 8} = z_{184}$, $x_3^{t+1} = z_{185}$, ..., $x_3^{t+7} = z_{191}$. Thus, 8 new bits of the shrunken sequence have been reconstructed at positions 184, 185, ..., 191.

After Phase 1, the known bits of the shrunken sequence are depicted in Table 4. Rows 0, 1, 2 correspond to intercepted bits while rows 7, 19, 20 and 23 correspond to reconstructed bits. The symbol - represents the unknown bits. In brief, from 24 intercepted bits a total of 32 bits have been reconstructed.



Table 4: The shrunken sequence produced by the shrinking generator described in
subsection 5.3, written as the 31 x 8 matrix of subsection 5.2 (row j holds
z_{8j}, ..., z_{8j+7}); - marks an unknown bit.

  row   C1  C2  C3  C4  C5  C6  C7  C8
   0     1   0   1   0   0   0   0   1
   1     1   0   0   1   1   1   0   0
   2     1   1   0   1   0   0   1   1
   3     -   -   -   -   -   -   -   -
   4     -   -   -   -   -   -   -   -
   5     -   -   -   -   -   -   -   -
   6     -   -   -   -   -   -   -   -
   7     0   1   1   1   0   0   1   0
   8     -   -   -   -   -   -   -   -
   9     -   -   -   -   -   -   -   -
  10     -   -   -   -   -   -   -   -
  11     -   -   -   -   -   -   -   -
  12     -   -   -   -   -   -   -   -
  13     -   -   -   -   -   -   -   -
  14     -   -   -   -   -   -   -   -
  15     -   -   -   -   -   -   -   -
  16     -   -   -   -   -   -   -   -
  17     -   -   -   -   -   -   -   -
  18     -   -   -   -   -   -   -   -
  19     0   0   1   1   1   1   0   1
  20     0   1   0   0   1   1   1   1
  21     -   -   -   -   -   -   -   -
  22     -   -   -   -   -   -   -   -
  23     1   1   1   0   1   1   1   0
  24     -   -   -   -   -   -   -   -
  25     -   -   -   -   -   -   -   -
  26     -   -   -   -   -   -   -   -
  27     -   -   -   -   -   -   -   -
  28     -   -   -   -   -   -   -   -
  29     -   -   -   -   -   -   -   -
  30     -   -   -   -   -   -   -   -
Phase 2: According to equation (15), the bits $b_1, b_2, b_3, b_4$ are placed at positions 29, 27, 25, 23 of column $C_1$, respectively (indeed $15 \cdot 29 \equiv 1$, $15 \cdot 27 \equiv 2$, $15 \cdot 25 \equiv 3$ and $15 \cdot 23 \equiv 4 \pmod{31}$; see the first column of Table 4). On the other hand, Table 5 shows the sequences corresponding to the following hypotheses. In each case $H_k$ denotes column $C_1$ shifted to the starting position assumed by the hypothesis, so that it can be compared row by row with the known bits of the column under test.

Hypothesis 1. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 1)$, then $C_2$ will start at the 29th position of $C_1$, giving rise to the column $H_1$. In row 2, $H_1$ and $C_2$ have a common bit without contradiction. The union of both sequences allows us to construct $C_2^1$, the second column of the matrix for this hypothesis. A total of 13 bits are then known in $C_2^1$.

Hypothesis 2. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 0, a_2 = 1)$, then $C_2$ will start at the 27th position of $C_1$, giving rise to the column $H_2$. In row 23, $H_2$ and $C_2$ have a common bit with contradiction (starred bits). Thus, the initial states of $SR_1$ starting with bits 101 must be rejected.

Hypothesis 3. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 1)$, then $C_2$ will start at the 25th position of $C_1$, giving rise to the column $H_3$. In row 7, $H_3$ and $C_2$ have a common bit without contradiction. The union of both sequences allows us to construct $C_2^3$, the second column of the matrix for this hypothesis. A total of 13 bits are then known in $C_2^3$.

Hypothesis 4. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1)$, then $C_2$ will start at the 23rd position of $C_1$, giving rise to the column $H_4$. In row 0, $H_4$ and $C_2$ have a common bit with contradiction (starred bits). Thus, the initial state 1000 of $SR_1$ must be rejected.

On the hypotheses free of contradiction, we can formulate further ones, depicted in Table 6.

Hypothesis 5. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 1, a_2 = 1)$, then $C_3$ will start at the 27th position of $C_1$, giving rise to the column $H_5$. In row 23, $H_5$ and $C_3$ have a common bit with contradiction (starred bits). Thus, the initial states of $SR_1$ starting with bits 111 must be rejected.

Hypothesis 6. If the first bits of $IS_1$ are $(a_0 = 1, a_1 = 1, a_2 = 0, a_3 = 0, a_4 = 1)$, then $C_3$ will start at the 23rd position of $C_1$, giving rise to the column $H_6$. Bits 24 and 25 of $C_1$ have been deduced from $C_2$ in Hypothesis 1: writing $s_j$ for the $j$-th bit of $C_1$, the bits of $C_2^1$ give $s_{17}$ and $s_{18}$, and the relation $1 + \alpha^2 = \alpha^7$ yields $s_{24} = s_{17} + s_{19}$ and $s_{25} = s_{18} + s_{20}$. In row 2, $H_6$ and $C_3$ have a common bit with contradiction (starred bits). Thus, the initial state 1100 of $SR_1$ must be rejected.

From Hypotheses 5 and 6 (the remaining prefix 1101, which places $C_3$ at the 25th position of $C_1$, is rejected in the same way), Hypothesis 1 must be rejected. Remark that the configuration $(a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 1)$ in Hypothesis 3 is the only one free of contradiction. Thus, it corresponds to the actual initial state of $SR_1$. The successive bits of $SR_1$, that is, the PN-sequence $\{1,0,0,1,0,0,0,1,\ldots\}$, are checked by the successive columns $C_4, C_5, \ldots, C_8$ of the shrunken sequence. Concerning the initial state of $SR_2$, in Table 6 (column Solution) we can see that bits $b_4, b_3, b_2$ can be obtained from the known bits of $C_1$ in rows 23, 25 and 27 respectively. In fact, $b_4 = 1$, $b_3 = 0$, $b_2 = 1$.
Table 5: Different hypotheses formulated on the bits of SR1. Rows are those of
the 31 x 8 matrix; H_k is C1 shifted to the starting position assumed by
Hypothesis k, C2^k is the union of H_k and C2; - unknown bit, * contradiction.

         Hypothesis 1         Hypothesis 2       Hypothesis 3         Hypothesis 4
  row   C1  H1  C2  C2^1     C1  H2  C2        C1  H3  C2  C2^3     C1  H4  C2
   0     1   -   0   0        1   -   0         1   -   0   0        1   1*  0*
   1     1   -   0   0        1   -   0         1   -   0   0        1   -   0
   2     1   1   1   1        1   -   1         1   -   1   1        1   -   1
   3     -   1   -   1        -   -   -         -   -   -   -        -   -   -
   4     -   1   -   1        -   1   -         -   -   -   -        -   -   -
   5     -   -   -   -        -   1   -         -   -   -   -        -   -   -
   6     -   -   -   -        -   1   -         -   1   -   1        -   -   -
   7     0   -   1   1        0   -   1         0   1   1   1        0   -   1
   8     -   -   -   -        -   -   -         -   1   -   1        -   1   -
   9     -   0   -   0        -   -   -         -   -   -   -        -   1   -
  10     -   -   -   -        -   -   -         -   -   -   -        -   1   -
  11     -   -   -   -        -   0   -         -   -   -   -        -   -   -
  12     -   -   -   -        -   -   -         -   -   -   -        -   -   -
  13     -   -   -   -        -   -   -         -   0   -   0        -   -   -
  14     -   -   -   -        -   -   -         -   -   -   -        -   -   -
  15     -   -   -   -        -   -   -         -   -   -   -        -   0   -
  16     -   -   -   -        -   -   -         -   -   -   -        -   -   -
  17     -   -   -   -        -   -   -         -   -   -   -        -   -   -
  18     -   -   -   -        -   -   -         -   -   -   -        -   -   -
  19     0   -   0   0        0   -   0         0   -   0   0        0   -   0
  20     0   -   1   1        0   -   1         0   -   1   1        0   -   1
  21     -   0   -   0        -   -   -         -   -   -   -        -   -   -
  22     -   0   -   0        -   -   -         -   -   -   -        -   -   -
  23     1   -   1   1        1   0*  1*        1   -   1   1        1   -   1
  24     -   -   -   -        -   0   -         -   -   -   -        -   -   -
  25     -   1   -   1        -   -   -         -   0   -   0        -   -   -
  26     -   -   -   -        -   -   -         -   0   -   0        -   -   -
  27     -   -   -   -        -   1   -         -   -   -   -        -   0   -
  28     -   -   -   -        -   -   -         -   -   -   -        -   0   -
  29     -   -   -   -        -   -   -         -   1   -   1        -   -   -
  30     -   -   -   -        -   -   -         -   -   -   -        -   -   -

The bit $b_1$ in row 29 satisfies the equality

$$b_1 = z_{29 \cdot 8} = z_{1 \cdot 8} + z_{2 \cdot 8} + z_{4 \cdot 8}, \tag{16}$$

as $\alpha + \alpha^2 + \alpha^4 = \alpha^{29}$ in the extension field $GF(2^{L_2})$. We know that $z_8 = 1$ and $z_{16} = 1$, while $z_{32}$ can be easily deduced from the equality $z_{14 \cdot 8} = z_{0 \cdot 8} + z_{4 \cdot 8}$, as $1 + \alpha^4 = \alpha^{14}$; here $z_0 = 1$ is intercepted and $z_{112}$ (row 14 of $C_1$) is one of the bits of $C_1$ known under Hypothesis 3 (column Solution of Table 6). Thus, $z_{32} = 1 + 1 = 0$ and substituting in $b_1$ we get $b_1 = 1 + 1 + 0 = 0$.

The final results of Phases 1 and 2 are the initial states of both LFSRs, $IS_1 = (a_0, a_1, \ldots, a_3) = (1,0,0,1)$ and $IS_2 = (b_0, b_1, \ldots, b_4) = (1,0,1,0,1)$. From the knowledge of both initial states the whole shrunken sequence can be reconstructed.
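The two phases of the attack on the parameters of subsection 5.3, as an added worked example that is not the authors' code. It builds the shrinking generator, takes its first r = 24 output bits as the intercepted sequence, runs the chained sub-triangles of subsection 5.1 together with the Zech logarithms of GF(2^5) to reconstruct the 32 bits of Table 4, and then performs the tree search of subsection 5.2 over IS_1. Three things are assumptions of this example rather than statements of the page: the characteristic polynomial of a sub-automaton R_1...R_k is computed with the standard recurrence P_k = (x + R_k) P_{k-1} + P_{k-2}; once IS_1 is complete, the hypothesis check is continued over the columns C_4, ..., C_8 determined by the recurrence of SR_1; and the field relations the page applies by hand (such as bits 24 and 25 of C_1, or z_32 in equation (16)) are replaced by a generic closure of a column under pairwise sums. All function and variable names are the example's own.

```python
"""Attack of Section 5 on the shrinking generator of subsection 5.3 (added example;
page parameters L1 = 4, L2 = 5, C1(x) = 1+x^3+x^4, C2(x) = 1+x+x^3+x^4+x^5,
P(x) = 1+x+x^2+x^4+x^5, r = 24 intercepted bits; names are the example's own)."""
from functools import reduce
from operator import xor
L1, L2 = 4, 5
C1_TAPS, C2_TAPS, P_TAPS = (0, 3), (0, 1, 3, 4), (0, 1, 2, 4)  # exponents below x^L
D, N = 2 ** (L1 - 1), 2 ** L2 - 1      # interleaved PN-shifts (8), PN length (31)
INV = pow(2 ** L1 - 1, -1, N)          # (2^L1 - 1)^-1 mod N = 29, solves eq. (15)

def lfsr(taps, state, length):
    """LFSR with characteristic polynomial x^L + sum_e x^e: s_{t+L} = sum_e s_{t+e}."""
    s = list(state)
    while len(s) < length:
        s.append(sum(s[e - len(state)] for e in taps) % 2)
    return s

def shrinking(is1, is2, length):
    """Shrinking generator: emit b_t of SR2 exactly when the selector bit a_t is 1."""
    steps = (length // D + 1) * (2 ** L1 - 1)
    a, b = lfsr(C1_TAPS, is1, steps), lfsr(C2_TAPS, is2, steps)
    return [bt for at, bt in zip(a, b) if at][:length]

def gf_tables(taps, m):
    """exp table of GF(2^m) = GF(2)[x]/(P(x)) with alpha = x, and its inverse."""
    poly, exp = (1 << m) | sum(1 << e for e in taps), [1]
    for _ in range(2 ** m - 2):
        exp.append((exp[-1] << 1) ^ (poly if exp[-1] >> (m - 1) else 0))
    return exp, {v: i for i, v in enumerate(exp)}
EXP, LOG = gf_tables(P_TAPS, L2)       # LOG[1 ^ EXP[k]] is the Zech logarithm of k

def clmul(a, b):
    """Product of two GF(2)[x] polynomials stored as bit-masks."""
    return reduce(xor, (a << e for e in range(b.bit_length()) if b >> e & 1), 0)

def subautomaton_poly(rules):
    """Char. polynomial of the 90/150 sub-automaton R1..Rk; assumed recurrence
    P_k = (x + R_k) P_{k-1} + P_{k-2} with P_0 = 1, P_{-1} = 0."""
    pm2, pm1 = 0, 1
    for r in rules:
        pm2, pm1 = pm1, clmul(pm1, 2 | r) ^ pm2
    return pm1

def chained_subtriangle(seq, rules, cell, n):
    """Cell `cell` of A_n (5.1): feed seq to the leftmost cell (null boundary), solve
    eq. (10) rightwards, x_{i+1}^t = x_i^{t+1} + x_{i-1}^t + R_i x_i^t, n times over."""
    for _ in range(n):
        prev, cur = [0] * len(seq), seq
        for i in range(cell - 1):
            prev, cur = cur, [cur[t + 1] ^ prev[t] ^ (rules[i] & cur[t])
                              for t in range(len(cur) - 1)]
        seq = cur
    return seq

def phase1(z, rules, cell=3):
    """Cell `cell` of A_n is sum_e z_{t+e} over the exponents e of P_{cell-1}(x)^n; if
    all e = 0 mod D (cond. (12)) it equals z_{t + D*delta}, alpha^delta = sum alpha^(e/D)."""
    known, p, pn = dict(enumerate(z)), subautomaton_poly(rules[:cell - 1]), 1
    for n in range(1, len(z)):
        pn = clmul(pn, p)
        exps = [e for e in range(pn.bit_length()) if pn >> e & 1]
        out = chained_subtriangle(z, rules, cell, n)
        if out and all(e % D == 0 for e in exps):
            delta = LOG[reduce(xor, (EXP[e // D] for e in exps))]
            for t, bit in enumerate(out):
                known[(t + D * delta) % (N * D)] = bit
    return known

def merge(c1, col, shift):
    """Hypothesis check (5.2): col[j] must equal C1[j+shift]; the union, or None."""
    out = dict(c1)
    ok = all(out.setdefault((j + shift) % N, bit) == bit for j, bit in col.items())
    return out if ok else None

def close(col):
    """Eq. (13) in general: s_j + s_k = s_{j + zech(k-j)} inside one PN-shift."""
    while True:
        new = {(j + LOG[1 ^ EXP[(k - j) % N]]) % N: col[j] ^ col[k]
               for j in col for k in col if j != k}
        if new.keys() <= col.keys():
            return col
        col = {**new, **col}

def phase2(known):
    """Tree search over IS1 (a_0 = 1): the 1 at offset p of SR1's period puts the next
    column at row INV*p of C1; contradictions prune the prefix. Returns (IS1, IS2) pairs."""
    cols = [{pos // D: bit for pos, bit in known.items() if pos % D == c} for c in range(D)]
    def extend(a, k, c1):
        p = len(a)
        if p == 2 ** L1 - 1:                       # a full period of SR1 survived:
            s = close(c1)                          # b_i sits at row INV*i of C1 (15)
            yield a[:L1], [s[INV * i % N] for i in range(L2)]
            return
        options = [0, 1] if p < L1 else [sum(a[p - L1 + e] for e in C1_TAPS) % 2]
        for bit in options:
            nc1 = merge(c1, cols[k], INV * p % N) if bit else c1
            if nc1 is not None:
                yield from extend(a + [bit], k + bit, nc1)
    return list(extend([1], 1, cols[0]))

def attack(z):
    """Both phases; CA1 = 0060110600 starts R1 = R2 = 0, CA2 = 8C0300C031 R1 = 1, R2 = 0.
    On the page's 24 bits: (56, [([1, 0, 0, 1], [1, 0, 1, 0, 1])])."""
    known = {**phase1(z, (0, 0)), **phase1(z, (1, 0))}
    return len(known), phase2(known)
```

Running `attack(shrinking([1, 0, 0, 1], [1, 0, 1, 0, 1], 24))` reproduces the page: 56 known bits after Phase 1 (rows 0, 1, 2, 7, 19, 20 and 23 of Table 4) and a single surviving branch of the search, IS_1 = (1,0,0,1) with IS_2 = (1,0,1,0,1). `merge` applied to the first two columns at shifts 29, 27, 25 and 23 gives exactly Hypotheses 1 to 4 of Table 5 (13 merged bits for 29 and 25, a contradiction for 27 and 23).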
Table 6: Different hypotheses formulated on the bits of SR1 (continued). In
Hypothesis 6 the rows 24 and 25 of C1 are the bits deduced under Hypothesis 1;
the Solution column is C1 merged with C2 under Hypothesis 3 (the column C2 shown
is C2^3); - unknown bit, * contradiction.

         Hypothesis 5      Hypothesis 6      Solution
  row   C1  H5  C3        C1  H6  C3        C1  C2
   0     1   -   1         1   1   1         1   0
   1     1   -   0         1   0   0         1   0
   2     1   -   0         1   1*  0*        1   1
   3     -   -   -         -   -   -         -   -
   4     -   1   -         -   -   -         -   -
   5     -   1   -         -   -   -         -   -
   6     -   1   -         -   -   -         -   1
   7     0   -   1         0   -   1         0   1
   8     -   -   -         -   1   -         -   1
   9     -   -   -         -   1   -         -   -
  10     -   -   -         -   1   -         -   -
  11     -   0   -         -   -   -         -   -
  12     -   -   -         -   -   -         -   -
  13     -   -   -         -   -   -         0   0
  14     -   -   -         -   -   -         1   -
  15     -   -   -         -   0   -         -   -
  16     -   -   -         -   -   -         -   -
  17     -   -   -         -   -   -         1   -
  18     -   -   -         -   -   -         -   -
  19     0   -   1         0   -   1         0   0
  20     0   -   0         0   -   0         0   1
  21     -   -   -         -   -   -         -   -
  22     -   -   -         -   -   -         -   -
  23     1   0*  1*        1   -   1         1   1
  24     -   0   -         0   -   -         -   -
  25     -   -   -         1   -   -         0   0
  26     -   -   -         -   -   -         0   0
  27     -   1   -         -   0   -         1   -
  28     -   -   -         -   0   -         -   -
  29     -   -   -         -   -   -         -   1
  30     -   -   -         -   -   -         -   -

5.4 Computational Features

The computational complexity of the previous cryptanalytic attack can be considered in two different phases: off-line and on-line complexity.

Off-line computational complexity: This phase is to be executed before intercepting the sequence. It includes:

• Computation of the characteristic polynomials $P_i(x)$ of the sub-automata $R_1 R_2 \ldots R_i$ ($1 \le i \le l$) by means of the equation for the characteristic polynomial of a sub-automaton, where $l$ is related to the amount of intercepted sequence ($l \cdot 2^{L_1-1} \approx r$). This computation is necessary in order to obtain general expressions for the elements of the chained sub-triangles in the reconstruction procedure.

• Computation of the positions of the bits $b_i$ ($i = 1, 2, \ldots, L_2 - 1$) on $C_1$, the first column of the shrunken sequence matrix, by means of equation (15). This computation is necessary in order to determine the bits of the initial state of $SR_2$.

• Computation of different elements of the extension field $GF(2^{L_2})$ such as $1 + \alpha, 1 + \alpha^2, \ldots, 1 + \alpha^l$ and linear combinations of them by means of the Zech log table method [1] for arithmetic over $GF(2^m)$. This computation is necessary in order to determine the distance between the intercepted sequence and the portions of reconstructed shrunken sequence.

On-line computational complexity: This phase is to be executed after intercepting the sequence. According to the previous subsections, the computational method consists in the comparison of series of bits coming from the formulated hypotheses and from intercepted/reconstructed bits. The comparison is realized by means of bit-wise logical operations, so the computational complexity is rather low. Occasionally, the computation of some element of $GF(2^{L_2})$ must be realized in order to determine additional elements of the PN-sequences. The most time-consuming part of this cryptanalytic attack is the search over the $2^{L_1-1}$ possible initial states of $SR_1$ (assuming $a_0 = 1$). Due to the contradictions found in the first levels of the search tree, the exhaustive search can be dramatically improved. On average, we can say that in the worst case the search can be reduced to the half, so that the computational complexity of this attack is $O(2^{L_1-2})$. In addition, several considerations must be kept in mind:

1. The improved exhaustive search is carried out over the state space of the shortest register $SR_1$.

2. Every check of a hypothesis is realized only over the 1's of the configuration under consideration, so the procedure speeds up for configurations with a low number of 1's.

Finally, comparing the proposed attack with those found in the literature, we see that all of them are exponential in the lengths of the registers. In particular, the complexity of the divide-and-conquer attack proposed in [53] is $O(2^{L_1})$. The probabilistic correlation attack described in [15] has a computational complexity of $O(L_1 \cdot 2^{L_1})$. Also the probabilistic correlation attack introduced in [14] is exponential in $L_2$. In this work a deterministic attack has been proposed that improves the complexity of the previous cryptanalytic approaches.

6 Conclusions

This paper considers the linearization of pseudorandom sequence generators based on finite fields. More precisely, a wide family of traditional LFSR-based sequence generators, the so-called Clock-Controlled Shrinking Generators, has been analyzed and modelled in terms of linear cellular automata. In this way, sequence generators conceived and designed as complex nonlinear models can be written in terms of simple linear models. An easy algorithm to compute the pair of one-dimensional linear hybrid cellular automata that generate the CCSG output sequences has been derived. The key idea of this modelling is just the concatenation of a basic structure repeated a number of times. In addition, a cryptanalytic attack that reconstructs the output sequence of such generators has been proposed. The cryptanalytic approach is deterministic and improves on an exhaustive search over the states of the shortest register. Computing the initial state of the longest register is a direct consequence of the previous step. The attack exploits the linearity of these CA-based models as well as the characteristics of this class of generators. Applying the same schemes, linear cellular automata-based models can be developed to analyze and cryptanalyze wider classes of clock-controlled generators.